Two CVEs for the new Spring4Shell zero-day vulnerability:
- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
https://tanzu.vmware.com/security/cve-2022-22963
- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
https://tanzu.vmware.com/security/cve-2022-22965
Is Software Change Manager (Harvest) vulnerable?
Yes.
CA Harvest Software Change Manager versions 13.0.4, 14.0.0, 14.0.2
Impacted Components:
Rest API, SCM Mobile
NOTE: If you are not using the Rest API or the Mobile interface of Harvest, this fix does not apply and you are not impacted by this vulnerability.
1. Workaround:
If you are using Adopt OpenJDK 11, downgrade to Adopt OpenJDK 8 as a temporary workaround.
2. Fix Details
If you continue to use Adopt OpenJDK 11, a fix is also available to address the vulnerability.
For details of the fix available for each release, refer to the table below.
| Sl.No | Release | Fix Details and Support page links |
| 1 | 14.0.2 | https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111467&os=WINDOWS-ALL |
| 2 | 14.0.0 | https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111471&os=WINDOWS-ALL |
| 3 | 13.0.4 | https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111472&os=WINDOWS-ALL |
If you have further questions, raise a support ticket with Broadcom.